Cybersecurity researchers at Proofpoint have discovered an undocumented downloader which is called AdvisorsBot due to the word “advisors” used in the command-and-control (C&C) domains. The modular downloader has been noticed spreading via malicious spam emails primarily targeting restaurants, hotels, and telecommunications[1].

IT specialists indicate the actor who is distributing AdvisorsBot as TA555 and warn users to be vigilant. Currently, the analysis revealed that AdvisorsBot is a first-stage payload which is used as a fingerprinting module to identify its targets and conduct further infections.

It is essential to know that even though AdvisorsBot was first discovered in May 2018, its contrivers are actively upgrading the malicious program and distributing it worldwide. According to the researchers, AdvisorsBot is currently rewritten in .NET and PowerShell[2] which allows making presumptions about potential attacks in the future.

The analysis of the malicious spam email campaigns pushing AdvisorsBot revealed that there were three types of electronic letters which were designed to address hotels, restaurants, and telecommunications separately. However, researchers indicate that the campaigns were not well-developed since malicious emails reached numerous non-related targets[3].

Nevertheless, the first email was created to impersonate a double charge case aiming to infect hotel networks. The electronic letter contained the so-called credit card proof as evidence. Unfortunately, the attachment named as “statement (6).doc” is merely a disguise to trick hotel employees into executing malicious macros for AdvisorsBot.

The second campaign mainly targeted restaurants with the fake food poisoning issue. The supposed victims claimed that their attorneys are filing a lawsuit and asked to settle this issue unofficially. For that, they have included the attachment of the doctor's opinion named as “conclusion (1).doc” document.

Finally, the last campaign addressed telecommunications company and aimed to deliver AdvisorsBot via fake job application email. The malicious email attachment supposedly contained the resume of the applicant and was named as “CV (17).doc” file. Evidently, all three campaigns were merely tricks to enable bogus macros and infiltrate the systems with AdvisorsBot.

AdvisorsBot shows sophisticated anti-analysis features

Researchers say that modern malware variants, like AdvisorsBot, became highly sophisticated and can significantly slow down the reverse engineering[4] process due to numerous anti-analysis features. One of the most effective ones is the usage of a junk code which includes the following[5]:

Additional instructions;

Conditional statements;

Loops;

Etc.

Furthermore, IT experts indicate two more anti-analysis features which help the malware to avoid security tools:

Most strings are stored as “stack strings” in which the characters of the string are manually pushed onto stack memory with individual instructions. This makes it more difficult to quickly see the strings the malware uses.

Windows API function hashing, which hinders identification of the malware’s functionality. A Python implementation of the hashing algorithm is available on Github [1].

The conclusion by Proofpoint security researchers indicate that despite the actor decides to distribute AdvisorsBot or other similar infections, IT experts should pay detailed attention. It is essential to monitor the activity of this type of cyber threats to stop the spread of versatile malware which could give the flexibility to the attackers.

About the author

Linas Kiguolis
- Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.